Data Security in a Demanding Regulatory Environment

Data security regulation is accelerating many firms' data protection programs, says Karl Schimmeck, Executive Vice President and CISO of Northern Trust. Complying with multiple jurisdictions' reporting regimes around privacy, incident disclosure, and documentation of decision processes is hard, however. Rigorous incident management plans and structures simplify the work, but it is important to remember that compliance is not about checking boxes; it is about reducing risk.

Regulation drives data protection: Meeting regulations is challenging when "adequate data protection" is defined differently in different jurisdictions; "GDPR is a perfect example," Schimmeck says. Leaders need to understand the key pieces of regulation affecting financial services, especially those covering cybersecurity, data protection, and resilience, because senior management is more involved than ever. Still, in most organizations regulatory pressure is a tailwind that can push a CISO's modernization agenda forward in an environment of rising expectations.

Regulators care about business continuity: Ultimately, regulators, security, and technology share the same concern: business continuity. Work with regulators to find the right balance between innovation and safety, but remember that after an incident regulators will want to know how operations were affected and how the problems were resolved. Schimmeck recommends knowing how your critical systems interact, what your third-party dependencies are, and how data flows across businesses and systems, and then planning in advance how you will respond when continuity is disrupted, using a response plan designed by specialists that produces consistent outcomes.

Leaders' macro message: Accomplishing the CISO's goals requires partnership across the entire firm, including areas that have not historically prioritized cybersecurity. The message from the top is that "at the end of the day," Schimmeck says, "we're all risk managers." He recommends building partnerships across the firm, including with business leaders, to address cybersecurity and operational resilience as enterprise-wide risks.

Where do you set the bar? Building to the most stringent risk management and reporting requirements across all jurisdictions is the simplest approach to meet everywhere at once, but it adds cost and complexity. Review your incident management and disclosure processes to ensure they can deliver timely and accurate information to regulators. You may need to build additional technology to satisfy data protection requirements, but deciding your reporting thresholds and planning your response early saves time and headaches when an incident occurs. The difficulty is that even if you aim high, you may not have the information needed to make a materiality determination within the time the law allows.

Forecasting the compliance future: New technologies, AI among them, are drawing regulatory scrutiny. Ideally, financial services firms will be given room to test new technology in pilot projects within their risk appetites, so they can learn, evolve, and make mistakes. The important thing is to remember that regulation is always about risk management, and that data protection decisions should be driven not by compliance but by the commitment to reduce risk and maintain the public's trust.

 

FinCyber Today

FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.

Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.


© 2025 FS-ISAC, Inc. All rights reserved.
